Anonymous Sources Provide No Evidence of Iran Cyber Attacks

This is the headline that should have been affixed to the New York Times’ most recent story about supposed Iranian cyber attacks against oil and natural gas companies in Saudi Arabia and Qatar, as well as banks in the United States. In fact, it is the most appropriate headline for practically all of the news reports on this topic published during the last two weeks. Thus far, the reporting has been based entirely on anonymous sources who have provided no evidence to support claims of Iranian cyber attacks.

In its most recent report on October 24, the New York Times cited a number of anonymous sources, including “intelligence officials,” “independent computer researchers,” “two people close to the investigation,” “security researchers,” and “security experts.” The Times is up front about the fact that “intelligence officials” have “offered no specific evidence to support” their claim that Iran was behind the attacks. Ten days earlier, on October 14, the Times had reported, “Among American officials, suspicion has focused on the ‘cybercorps’ that Iran’s military created in 2011…though there is no hard evidence that the attacks were sanctioned by the Iranian government.” After already reporting that anonymous officials were suspicious but lacking evidence, ten days later the Times thought it necessary to remind us all that these officials were still suspicious, and still not providing evidence for their claims. The Times did not question these suspicions or claims, however.

In some cases, it is not clear in the reporting whether allegations of Iranian cyber attacks are coming from current or former government officials. In the case of stories from Associated Press and the Washington Post, our knowledge of what the U.S. believes is based on accounts provided by “former U.S. government officials” (with an assist from the seemingly ubiquitous “cybersecurity experts”).

Senator Joseph Lieberman (I-CT) is the one American “official” who has been named consistently in news reports as claiming that Iran is behind the recent spate of cyber attacks. On September 26, the Los Angeles Times reported:

Senate Homeland Security committee chairman Joe Lieberman (I-Conn.) said Iran has targeted the American financial system in response to U.S. sanctions placed on the country because of its nuclear program.

The Quds Force, a secretive Iran military unit blamed for terrorist activity, probably executed the cyber-attacks, he said.

But that same article goes on to report that “a group called Izz al-Din al-Qassam Cyber Fighters has claimed responsibility for the [bank] outages.” One might be tempted to believe that this group is somehow tied to Iran. In fact, as a later story in the Huffington Post notes, the group is not Iranian and its stated motivation for the bank attacks, which it called “Operation Alababil,” was

revenge for the anti-Islam YouTube film Innocence of Muslims. […] They wrote: “Operation Alababil is revenge in response to the humiliation of the Organization of the Prophet of Islam (PBUH) by some Western countries.”

None of the stories cited above have noted the discrepancy between Senator Lieberman’s account of the attackers and their motives and the reasons given by the group that has claimed responsibility for the incidents.

Other reporting has also begun to call into question officials’ claims of Iranian involvement in attacks on Middle East oil companies. An October 25 report from Bloomberg News indicated that as intelligence officials admit “that the evidence implicating Iran in the Aramco attack is largely circumstantial,” individuals involved with the investigation of the incident “aren’t convinced that the incident was an Iranian response to the attacks on its suspected nuclear weapons program.” Instead, they believe that the attack was largely the work of a lone insider.

Claims of Iranian cyber attacks could serve several purposes. Most obvious is that they are being used by Administration officials like Secretary of Defense Leon Panetta to make the case for a possible executive order on cyber security, as well as to argue in favor of cyber security legislation.

But they also contribute to the general sense of fear and suspicion surrounding Iran. They serve as one more seeming example of Iran’s nefarious use of technology, first nuclear and now cyber. As former NSA General Counsel, Stewart Baker, told the Associated Press, “If anybody is going to release irresponsible unlimited attacks, you’d expect it to be Iran.” Of course, though one might expect Iran to launch “irresponsible” cyber attacks, in fact, thus far the United States seems to have been the chief perpetrator with the Stuxnet attack against Iran. Nonetheless, recent reports of Iranian cyber attacks–substantiated or not–will no doubt provide one more talking point for those making the case for a military strike against Iran.

This would not be the first time that a would-be adversary suddenly emerged as a cyber threat at a time when the drums of war were growing louder. Following the attacks of 9/11, U.S. officials claimed that the greatest cyber threat to the United States came from terrorist groups like al-Qaeda. But then, in a rather sudden shift, as the Bush Administration began to press its case for war with Iraq, states suddenly became the top threat and, perhaps unsurprisingly, Iraq was identified as one of those states with a cyber warfare capability.[1] But just as Iraqi WMD never materialized, neither did its supposed cyber warfare capabilities.

In 2002, when pressed to provide evidence that Iraq was in fact supplying WMD to terrorists, Secretary of Defense Donald Rumsfeld answered simply by saying, “the absence of evidence is not evidence of absence.” Similarly, James Lewis, a leading cyber security expert from the Center for Strategic and International Studies, said, “How do they know it was Iran? You may look under your bed at night for spies and not see them, but that does not mean they are not there.”

Of course, Secretary Rumsfeld and Mr. Lewis are correct. Absence of evidence does not, by itself, prove the absence of a threat. But absence of evidence is even less likely to prove the existence of a threat. Given a choice, absence of evidence is more likely to be evidence of absence than it is evidence of presence.

None of this is to say that Iran is innocent. It is perfectly conceivable that Iran has launched cyber attacks targeted at U.S. interests at home and abroad. But in the context of rising tensions between the U.S. and Iran over its nuclear program, and in the wake of the Iraq WMD fiasco, we should expect more from reporters, experts, and officials.

[Updated to include a summary of Bloomberg reporting on the Aramco investigation.]

[1] For a detailed account of shifting official descriptions of cyber threats during the Bush Administration, see Bendrath R, Eriksson J, Giacomello G (2007) From ‘Cyberterrorism’ to ‘Cyberwar’, Back and Forth: How the United States Securitized Cyberspace. In Eriksson J, Giacomello G (eds) International Relations and Security in the Digital Age. London: Routledge.

This is a routine problem in intelligence and the possibility of error certainly exists. Some of the ways one could determine it is Iran include monitoring the telephone calls of Iranian officials, counter-hacking to read material on Iranian computers, the recruitment of Iranian agents to provide insight into their cyber activities, or information from third-country intelligence services. None of these are easily accessible to the public, but, if they work, they offer advantages over the forensic techniques used by the companies.

It’s safe to assume, given the long-standing (if sporadic) conflict between Iran and the US, the interest in tracking the Iranian nuclear effort, and the concern over Iranian activities in the Gulf, Syria and Lebanon, in Iraq and in Afghanistan (including activities against US forces), that there is already a high degree of scrutiny of Iranian activities using intelligence means, perhaps using all of the techniques listed above.

We do not know which techniques have been used or their success rate. Exact details are not provided because this could eliminate a source (and this has happened previously with intelligence collection in Iran). It’s reasonable to say “I don’t trust a statement based on intelligence that I cannot verify” and there are no easy ways around this. In the US, where some degree of consent is necessary, the usual practice is to brief Congress.

So the relevant parts of Congress are provided with briefings on sources and methods and on what has been found. Ironically, while the Bush/Iraq/WMD failures have heightened public skepticism, they have if anything made the Intelligence Community more conservative in their estimates, reluctant to assign a high degree of probability to an explanation without compelling evidence.

I assume that compelling evidence was made available to Senator Lieberman and others. It was not made available to me, but my situation is different. I still hold my clearances and in a classified setting, people I trust and who have no reason to lie to me sourced the attacks. They did not tell me how this was determined, but in that context and given my knowledge of other Iranian activities (including cyber), I accepted their statements. This was in August. Secretary Panetta and Senator Lieberman later repeated the sourcing. After I kidded the reporter who broke the Lieberman story (about the Congressional propensity to leak), she somewhat indignantly stated that Lieberman wasn’t the only source, she had gotten the story from her own official sources.

This is not the Bush Administration, which preferred to shape its intelligence. There is evidence, but we cannot see it, and this makes doubt reasonable. The flip side of rejecting these reports, however, is the American propensity to ignore threats until they arrive, or as e.e. cummings put it “it took a nipponized bit of the old sixth avenue el;in the top of his head:to tell him.” I’d prefer a policy based on distrust of Iran’s leaders rather than one that dismisses risk.

The absence of transparency in attributing cyber attacks has unique impacts in the current debate over legislation that would establish standards for privately owned critical infrastructure. It is one thing for the federal government to make decisions on military or diplomatic actions based on classified information; it is quite another to compel the private sector to take action without a clear indication of threat or risk.

Threat and risk are important components that haven’t received the attention they deserve, in part because there isn’t a clear understanding by any agent – public or private. The inherent vulnerability of cyber space to unauthorized intrusion is the only given I think we can all agree on. But the subsequent threat to critical systems and the risk of successful attacks are calculations that cannot practically be considered synonymous with fundamental vulnerability.

Intelligence collected by public agents is a key component to determining threat and risk, but so are the proprietary, technical details of private information systems. So we are left with very vague public pronouncements based on piecemeal information – hardly the foundation on which to make significant investments of funds.

It’s worth noting that the development of cyber space has been largely guided by open, transparent processes, especially in the adoption of common protocols (e.g., TCP/IP, IPv4, IPv6, etc). Absent this sort of openness, it is unreasonable to expect private agents to default to the federal government when it comes to cyber security.

The complexity of this issue is far greater than has been recognized thus far in the debate and is dependent upon fundamental issues not yet addressed regarding the structure and operation of cyber space.

I am surprised at these cyber attacks made by “intelligent” people. If they are so intelligent with IT technologies they could use it for good not for frightening or just disturbing peace. Adam Mayer Chief Marketing Officer Housing Qatar accommodation in Doha

This is great post, thank you for putting so much information in one post that is not just focused on the same of buzz words. The level of detail is exactly what’s missing from great post about Cyber Attacks & Cyber-Terrorism.